httpd-users mailing list archives
From Richard Mixon <rnmi...@custco.biz>
Subject [users@httpd] Preventing an open proxy with both a single SSL virtual host and a non-SSL virtual host
Date Thu, 13 Feb 2014 07:16:25 GMT
We've set up a new Apache server on CentOS 6.4, httpd 2.2.15.

The site is running SSL with a single WordPress virtual host. We do use
mod_proxy to forward some requests to back-end systems: our CAS
authentication system and a couple of other back-end systems we need a
limited amount of content from. We've done this often in the past, but this
configuration is a bit different.

All was fine until we created a simple (additional) virtual host on port 80
for the sole purpose of redirecting users that forgot to type in the https
in the URL. After that we started getting flooded with requests such as the
following:

64.120.77.151 - - [13/Feb/2014:00:03:05 -0700] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=160x600&section=4660128&pub_url=${PUB_URL}HTTP/1.0" 403 283 "http://creditsxchange.com/index.php/hotdeal/5536-the-times-of-india" "Mozilla/5.0 (Windows NT 7.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"

We shut the port 80 virtual host down and everything returned to normal,
and we started looking for a solution. We came across what appeared to be a
couple of excellent articles that addressed the problem:

1) The "Why do I see requests for other sites appearing in my log files?"
section at http://wiki.apache.org/httpd/FAQ

2) The solution on this posting
http://serverfault.com/questions/283200/my-virtualhosts-overlap-and-my-namevirtualhost-has-no-virtualhosts

Well what seemed a nice clear solution has not worked so well. I'm thinking
it is because we have both a single SSL virtual host and a (now two)
non-SSL host.

Our main httpd.conf file contains:
  ...
  ## ***************
  #Listen 80
  Listen 443
  ## ***************
  ...
  NameVirtualHost *:80
  NameVirtualHost *:443
  ...
  Include conf/VirtualHost.d/*.conf

Then we have what is now a single virtual host config file; it was
originally three (01-vhost.conf, 02-vhost.conf and 03-vhost.conf), which I
combined thinking the ordering might not be correct.

Anyway here's the content of the Virtual hosts config:

# Purpose is to prevent open proxy configuration.
# This Virtual Host config must be named so it appears first,
# i.e. 00-default.only.conf
<VirtualHost *:80>
    ServerName default.only
    ErrorLog logs/default.only-error_log
    CustomLog logs/default.only-access_log combined
    <Location />
      Order allow,deny
      Deny from all
    </Location>
</VirtualHost>

# This is the virtual host we really need on port 80
<VirtualHost *:80>
    ServerAdmin RNMixon@CustCo.biz
    DocumentRoot /var/www/community.acmeinc.com
    ServerName community.acmeinc.com
    ErrorLog logs/community.acmeinc.com-error_log
    CustomLog logs/community.acmeinc.com-access_log combined

    ProxyRequests Off
    ProxyPreserveHost Off

    RewriteCond %{HTTP_HOST} ^community\.acmeinc\.com [NC]
    RewriteRule / https://community.acmeinc.com/ [L,R,NE]

</VirtualHost>

# This is the main real virtual host
<VirtualHost *:443>
    ServerAdmin RNMixon@CustCo.biz
    ServerName community.acmeinc.com
    ErrorLog logs/community.acmeinc.com.ssl-error_log
    CustomLog logs/community.acmeinc.com.ssl-access_log combined

        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/pki/tls/certs/community_acmeinc_com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/community.acmeinc.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/community_acmeinc_com.ca-bundle
        SSLProxyEngine On
        SSLProxyCACertificateFile /etc/tomcat7/tomcat-server.pem

    ProxyRequests On
    ProxyPreserveHost On

    <Location /cas/>
      ProxyPass https://community.acmeinc.local:8443/cas/
      ProxyPassReverse https://community.acmeinc.local:8443/cas/
    </Location>

    <Proxy https://community.acmeinc.local:8443/cas/>
      AllowOverride None
      Order allow,deny
      Allow from All
    </Proxy>

    <Location /TicketSales/>
      ProxyPass http://www.acmeinc.local/TicketSales/
      ProxyPassReverse http://www.acmeinc.local/TicketSales/
    </Location>

    <Proxy http://www.acmeinc.local/TicketSales/>
      AllowOverride None
      Order allow,deny
      Allow from All
    </Proxy>

    <Location /rhythm/>
      ProxyPass https://community.acmeinc.local:8443/rhythm/
      ProxyPassReverse https://community.acmeinc.local:8443/rhythm/
    </Location>

    <Proxy https://community.acmeinc.local:8443/rhythm/>
      AllowOverride None
      Order allow,deny
      Allow from All
    </Proxy>

    DocumentRoot /var/www/community.acmeinc.com
    <Directory /var/www/community.acmeinc.com>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>

</VirtualHost>

Problem - if we uncomment the "Listen 80" directive to let the port 80
virtual hosts work, we become an open proxy again.

Here is the output from a dump of the virtual host config:

/usr/sbin/httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server
community.acmeinc.com(/etc/httpd/conf/VirtualHost.d/01-community.acmeinc.com.conf:30)
         port 443 namevhost
community.acmeinc.com(/etc/httpd/conf/VirtualHost.d/01-community.acmeinc.com.conf:30)
*:80                   is a NameVirtualHost
         default server default.only
(/etc/httpd/conf/VirtualHost.d/01-community.acmeinc.com.conf:4)
         port 80 namevhost default.only
(/etc/httpd/conf/VirtualHost.d/01-community.acmeinc.com.conf:4)
         port 80 namevhost
community.acmeinc.com(/etc/httpd/conf/VirtualHost.d/01-community.acmeinc.com.conf:15)
Syntax OK

What am I missing? Any help or hints are greatly appreciated.

Thank you -


-- 
Richard Mixon
Custom Computer Creations, L.L.C.
mobile: (480) 577-6834 office: (480) 614-3442
email: rnmixon@CustCo.biz <mailto:rnmixon@CustCo.biz>
Microsoft Partner ID: 1263725
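One way to keep the reverse-proxied paths while refusing forward-proxy requests, shown as an added example rather than anything from the original message or its replies. It assumes the open-proxy behaviour comes from `ProxyRequests On` in the 443 host (ProxyPass and ProxyPassReverse do not need it) and shows only the proxy-related directives; the SSL certificate, log and DocumentRoot lines stay as they are above.

```apache
# Added example, not the poster's configuration. Assumption: the forward
# proxying is enabled by "ProxyRequests On"; the reverse-proxied paths
# below work with it Off, so they are unaffected by the change.
<VirtualHost *:443>
    ServerName community.acmeinc.com
    SSLEngine on
    SSLProxyEngine On
    SSLProxyCACertificateFile /etc/tomcat7/tomcat-server.pem

    # Reverse proxy (gateway) only: never relay arbitrary client URLs.
    ProxyRequests Off
    ProxyPreserveHost On

    # Default for every proxied destination: deny. More specific <Proxy>
    # sections below are merged after this one and re-open only the
    # back-ends we actually gateway to.
    <Proxy *>
        Order deny,allow
        Deny from all
    </Proxy>

    # CAS back-end (the /TicketSales/ and /rhythm/ pairs follow the same
    # pattern: one ProxyPass/ProxyPassReverse pair plus a matching
    # <Proxy url> allow block).
    ProxyPass        /cas/ https://community.acmeinc.local:8443/cas/
    ProxyPassReverse /cas/ https://community.acmeinc.local:8443/cas/
    <Proxy https://community.acmeinc.local:8443/cas/>
        Order allow,deny
        Allow from all
    </Proxy>
</VirtualHost>
```

After the change, `/usr/sbin/httpd -t` confirms the syntax and the access log should no longer show 403s (or anything else) for requests whose target is a full `http://...` URL, since those are now rejected before mod_proxy is consulted.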
